1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 22 /* 23 * Copyright 2008 Sun Microsystems, Inc. All rights reserved. 24 * Use is subject to license terms. 25 */ 26 27 #include <sys/types.h> 28 #include <sys/systm.h> 29 #include <sys/stream.h> 30 #include <sys/cmn_err.h> 31 #include <sys/md5.h> 32 #include <sys/kmem.h> 33 #include <sys/strsubr.h> 34 #include <sys/random.h> 35 #include <sys/tsol/tnet.h> 36 37 #include <netinet/in.h> 38 #include <netinet/ip6.h> 39 40 #include <inet/common.h> 41 #include <inet/ip.h> 42 #include <inet/ip6.h> 43 #include <inet/sctp_ip.h> 44 #include <inet/ipclassifier.h> 45 #include "sctp_impl.h" 46 47 /* 48 * Helper function for SunCluster (PSARC/2005/602) to get the original source 49 * address from the COOKIE 50 */ 51 int cl_sctp_cookie_paddr(sctp_chunk_hdr_t *, in6_addr_t *); 52 53 /* 54 * From RFC 2104. This should probably go into libmd5 (and while 55 * we're at it, maybe we should make a libdigest so we can later 56 * add SHA1 and others, esp. since some weaknesses have been found 57 * with MD5). 58 * 59 * text IN pointer to data stream 60 * text_len IN length of data stream 61 * key IN pointer to authentication key 62 * key_len IN length of authentication key 63 * digest OUT caller digest to be filled in 64 */ 65 static void 66 hmac_md5(uchar_t *text, size_t text_len, uchar_t *key, size_t key_len, 67 uchar_t *digest) 68 { 69 MD5_CTX context; 70 uchar_t k_ipad[65]; /* inner padding - key XORd with ipad */ 71 uchar_t k_opad[65]; /* outer padding - key XORd with opad */ 72 uchar_t tk[16]; 73 int i; 74 75 /* if key is longer than 64 bytes reset it to key=MD5(key) */ 76 if (key_len > 64) { 77 MD5_CTX tctx; 78 79 MD5Init(&tctx); 80 MD5Update(&tctx, key, key_len); 81 MD5Final(tk, &tctx); 82 83 key = tk; 84 key_len = 16; 85 } 86 87 /* 88 * the HMAC_MD5 transform looks like: 89 * 90 * MD5(K XOR opad, MD5(K XOR ipad, text)) 91 * 92 * where K is an n byte key 93 * ipad is the byte 0x36 repeated 64 times 94 * opad is the byte 0x5c repeated 64 times 95 * and text is the data being protected 96 */ 97 98 /* start out by storing key in pads */ 99 bzero(k_ipad, sizeof (k_ipad)); 100 bzero(k_opad, sizeof (k_opad)); 101 bcopy(key, k_ipad, key_len); 102 bcopy(key, k_opad, key_len); 103 104 /* XOR key with ipad and opad values */ 105 for (i = 0; i < 64; i++) { 106 k_ipad[i] ^= 0x36; 107 k_opad[i] ^= 0x5c; 108 } 109 /* 110 * perform inner MD5 111 */ 112 MD5Init(&context); /* init context for 1st */ 113 /* pass */ 114 MD5Update(&context, k_ipad, 64); /* start with inner pad */ 115 MD5Update(&context, text, text_len); /* then text of datagram */ 116 MD5Final(digest, &context); /* finish up 1st pass */ 117 /* 118 * perform outer MD5 119 */ 120 MD5Init(&context); /* init context for 2nd */ 121 /* pass */ 122 MD5Update(&context, k_opad, 64); /* start with outer pad */ 123 MD5Update(&context, digest, 16); /* then results of 1st */ 124 /* hash */ 125 MD5Final(digest, &context); /* finish up 2nd pass */ 126 } 127 128 /* 129 * If inmp is non-NULL, and we need to abort, it will use the IP/SCTP 130 * info in initmp to send the abort. Otherwise, no abort will be sent. 131 * 132 * An ERROR chunk and chain of one or more error cause blocks will be 133 * created if unrecognized parameters marked by the sender as reportable 134 * are found. This error chain is visible to the caller via *errmp. 135 * 136 * When called from stcp_send_init_ack() while processing parameters 137 * from a received INIT_CHUNK want_cookie will be NULL. 138 * 139 * When called from sctp_send_cookie_echo() while processing an INIT_ACK, 140 * want_cookie contains a pointer to a pointer of type *sctp_parm_hdr_t. 141 * However, this last pointer will be NULL until the cookie is processed 142 * at which time it will be set to point to a sctp_parm_hdr_t that contains 143 * the cookie info. 144 * 145 * Note: an INIT_ACK is expected to contain a cookie. 146 * 147 * Returns 1 if the parameters are OK (or if there are no optional 148 * parameters), returns 0 otherwise. 149 */ 150 static int 151 validate_init_params(sctp_t *sctp, sctp_chunk_hdr_t *ch, 152 sctp_init_chunk_t *init, mblk_t *inmp, sctp_parm_hdr_t **want_cookie, 153 mblk_t **errmp, int *supp_af, uint_t *sctp_options) 154 { 155 sctp_parm_hdr_t *cph; 156 sctp_init_chunk_t *ic; 157 ssize_t remaining; 158 uint16_t serror = 0; 159 char *details = NULL; 160 size_t errlen = 0; 161 boolean_t got_cookie = B_FALSE; 162 boolean_t got_errchunk = B_FALSE; 163 uint16_t ptype; 164 165 ASSERT(errmp != NULL); 166 167 if (sctp_options != NULL) 168 *sctp_options = 0; 169 170 /* First validate stream parameters */ 171 if (init->sic_instr == 0 || init->sic_outstr == 0) { 172 serror = SCTP_ERR_BAD_MANDPARM; 173 dprint(1, ("validate_init_params: bad sid, is=%d os=%d\n", 174 htons(init->sic_instr), htons(init->sic_outstr))); 175 goto abort; 176 } 177 if (ntohl(init->sic_inittag) == 0) { 178 serror = SCTP_ERR_BAD_MANDPARM; 179 dprint(1, ("validate_init_params: inittag = 0\n")); 180 goto abort; 181 } 182 183 remaining = ntohs(ch->sch_len) - sizeof (*ch); 184 ic = (sctp_init_chunk_t *)(ch + 1); 185 remaining -= sizeof (*ic); 186 if (remaining < sizeof (*cph)) { 187 /* 188 * When processing a received INIT_ACK, a cookie is 189 * expected, if missing there is nothing to validate. 190 */ 191 if (want_cookie != NULL) 192 goto cookie_abort; 193 return (1); 194 } 195 196 cph = (sctp_parm_hdr_t *)(ic + 1); 197 198 while (cph != NULL) { 199 ptype = ntohs(cph->sph_type); 200 switch (ptype) { 201 case PARM_HBINFO: 202 case PARM_UNRECOGNIZED: 203 case PARM_ECN: 204 /* just ignore them */ 205 break; 206 case PARM_FORWARD_TSN: 207 if (sctp_options != NULL) 208 *sctp_options |= SCTP_PRSCTP_OPTION; 209 break; 210 case PARM_COOKIE: 211 got_cookie = B_TRUE; 212 /* 213 * Processing a received INIT_ACK, we have a cookie 214 * and a valid pointer in our caller to attach it to. 215 */ 216 if (want_cookie != NULL) { 217 *want_cookie = cph; 218 } 219 break; 220 case PARM_ADDR4: 221 *supp_af |= PARM_SUPP_V4; 222 break; 223 case PARM_ADDR6: 224 *supp_af |= PARM_SUPP_V6; 225 break; 226 case PARM_COOKIE_PRESERVE: 227 case PARM_ADAPT_LAYER_IND: 228 /* These are OK */ 229 break; 230 case PARM_ADDR_HOST_NAME: 231 /* Don't support this; abort the association */ 232 serror = SCTP_ERR_BAD_ADDR; 233 details = (char *)cph; 234 errlen = ntohs(cph->sph_len); 235 dprint(1, ("sctp:validate_init_params: host addr\n")); 236 goto abort; 237 case PARM_SUPP_ADDRS: { 238 /* Make sure we have a supported addr intersection */ 239 uint16_t *p, addrtype; 240 int plen; 241 242 plen = ntohs(cph->sph_len); 243 p = (uint16_t *)(cph + 1); 244 while (plen > 0) { 245 addrtype = ntohs(*p); 246 switch (addrtype) { 247 case PARM_ADDR6: 248 *supp_af |= PARM_SUPP_V6; 249 break; 250 case PARM_ADDR4: 251 *supp_af |= PARM_SUPP_V4; 252 break; 253 default: 254 /* 255 * Do nothing, silently ignore hostname 256 * address. 257 */ 258 break; 259 } 260 p++; 261 plen -= sizeof (*p); 262 } 263 break; 264 } 265 default: 266 /* 267 * Handle any unrecognized params, the two high order 268 * bits of ptype define how the remote wants them 269 * handled. 270 * Top bit: 271 * 1. Continue processing other params in the chunk 272 * 0. Stop processing params after this one. 273 * 2nd bit: 274 * 1. Must report this unrecognized param to remote 275 * 0. Obey the top bit silently. 276 */ 277 if (ptype & SCTP_REPORT_THIS_PARAM) { 278 if (!got_errchunk) { 279 /* 280 * First reportable param, create an 281 * ERROR chunk and populate it with a 282 * cause block for this parameter. 283 */ 284 *errmp = sctp_make_err(sctp, 285 PARM_UNRECOGNIZED, 286 (void *)cph, 287 ntohs(cph->sph_len)); 288 got_errchunk = B_TRUE; 289 } else { 290 /* 291 * Add an additional cause block to 292 * an existing ERROR chunk. 293 */ 294 sctp_add_unrec_parm(cph, errmp); 295 } 296 } 297 if (ptype & SCTP_CONT_PROC_PARAMS) { 298 /* 299 * Continue processing params after this 300 * parameter. 301 */ 302 break; 303 } 304 305 /* 306 * Stop processing params, report any reportable 307 * unrecognized params found so far. 308 */ 309 goto done; 310 } 311 312 cph = sctp_next_parm(cph, &remaining); 313 } 314 done: 315 /* 316 * Some sanity checks. The following should not fail unless the 317 * other side is broken. 318 * 319 * 1. If this is a V4 endpoint but V4 address is not 320 * supported, abort. 321 * 2. If this is a V6 only endpoint but V6 address is 322 * not supported, abort. This assumes that a V6 323 * endpoint can use both V4 and V6 addresses. 324 * We only care about supp_af when processing INIT, i.e want_cookie 325 * is NULL. 326 */ 327 if (want_cookie == NULL && 328 ((sctp->sctp_family == AF_INET && !(*supp_af & PARM_SUPP_V4)) || 329 (sctp->sctp_family == AF_INET6 && !(*supp_af & PARM_SUPP_V6) && 330 sctp->sctp_connp->conn_ipv6_v6only))) { 331 dprint(1, ("sctp:validate_init_params: supp addr\n")); 332 serror = SCTP_ERR_BAD_ADDR; 333 goto abort; 334 } 335 336 if (want_cookie != NULL && !got_cookie) { 337 cookie_abort: 338 dprint(1, ("validate_init_params: cookie absent\n")); 339 sctp_send_abort(sctp, sctp_init2vtag(ch), SCTP_ERR_MISSING_PARM, 340 details, errlen, inmp, 0, B_FALSE); 341 return (0); 342 } 343 344 /* OK */ 345 return (1); 346 347 abort: 348 if (want_cookie != NULL) 349 return (0); 350 351 sctp_send_abort(sctp, sctp_init2vtag(ch), serror, details, 352 errlen, inmp, 0, B_FALSE); 353 return (0); 354 } 355 356 /* 357 * Initialize params from the INIT and INIT-ACK when the assoc. is 358 * established. 359 */ 360 boolean_t 361 sctp_initialize_params(sctp_t *sctp, sctp_init_chunk_t *init, 362 sctp_init_chunk_t *iack) 363 { 364 /* Get initial TSN */ 365 sctp->sctp_ftsn = ntohl(init->sic_inittsn); 366 sctp->sctp_lastacked = sctp->sctp_ftsn - 1; 367 368 /* Serial number is initialized to the same value as the TSN */ 369 sctp->sctp_fcsn = sctp->sctp_lastacked; 370 371 /* 372 * Get verification tags; no byteordering is necessary, since 373 * verfication tags are never processed except for byte-by-byte 374 * comparisons. 375 */ 376 sctp->sctp_fvtag = init->sic_inittag; 377 sctp->sctp_sctph->sh_verf = init->sic_inittag; 378 sctp->sctp_sctph6->sh_verf = init->sic_inittag; 379 sctp->sctp_lvtag = iack->sic_inittag; 380 381 /* Get the peer's rwnd */ 382 sctp->sctp_frwnd = ntohl(init->sic_a_rwnd); 383 384 /* Allocate the in/out-stream counters */ 385 sctp->sctp_num_ostr = iack->sic_outstr; 386 sctp->sctp_ostrcntrs = kmem_zalloc(sizeof (uint16_t) * 387 sctp->sctp_num_ostr, KM_NOSLEEP); 388 if (sctp->sctp_ostrcntrs == NULL) 389 return (B_FALSE); 390 391 sctp->sctp_num_istr = iack->sic_instr; 392 sctp->sctp_instr = kmem_zalloc(sizeof (*sctp->sctp_instr) * 393 sctp->sctp_num_istr, KM_NOSLEEP); 394 if (sctp->sctp_instr == NULL) { 395 kmem_free(sctp->sctp_ostrcntrs, sizeof (uint16_t) * 396 sctp->sctp_num_ostr); 397 sctp->sctp_ostrcntrs = NULL; 398 return (B_FALSE); 399 } 400 return (B_TRUE); 401 } 402 403 /* 404 * Copy the peer's original source address into addr. This relies on the 405 * following format (see sctp_send_initack() below): 406 * relative timestamp for the cookie (int64_t) + 407 * cookie lifetime (uint32_t) + 408 * local tie-tag (uint32_t) + peer tie-tag (uint32_t) + 409 * Peer's original src ... 410 */ 411 int 412 cl_sctp_cookie_paddr(sctp_chunk_hdr_t *ch, in6_addr_t *addr) 413 { 414 uchar_t *off; 415 416 ASSERT(addr != NULL); 417 418 if (ch->sch_id != CHUNK_COOKIE) 419 return (EINVAL); 420 421 off = (uchar_t *)ch + sizeof (*ch) + sizeof (int64_t) + 422 sizeof (uint32_t) + sizeof (uint32_t) + sizeof (uint32_t); 423 424 bcopy(off, addr, sizeof (*addr)); 425 426 return (0); 427 } 428 429 #define SCTP_CALC_COOKIE_LEN(initcp) \ 430 sizeof (int64_t) + /* timestamp */ \ 431 sizeof (uint32_t) + /* cookie lifetime */ \ 432 sizeof (sctp_init_chunk_t) + /* INIT ACK */ \ 433 sizeof (in6_addr_t) + /* peer's original source */ \ 434 ntohs((initcp)->sch_len) + /* peer's INIT */ \ 435 sizeof (uint32_t) + /* local tie-tag */ \ 436 sizeof (uint32_t) + /* peer tie-tag */ \ 437 sizeof (sctp_parm_hdr_t) + /* param header */ \ 438 16 /* MD5 hash */ 439 440 void 441 sctp_send_initack(sctp_t *sctp, sctp_hdr_t *initsh, sctp_chunk_hdr_t *ch, 442 mblk_t *initmp) 443 { 444 ipha_t *initiph; 445 ip6_t *initip6h; 446 ipha_t *iackiph; 447 ip6_t *iackip6h; 448 sctp_chunk_hdr_t *iack_ch; 449 sctp_init_chunk_t *iack; 450 sctp_init_chunk_t *init; 451 sctp_hdr_t *iacksh; 452 size_t cookielen; 453 size_t iacklen; 454 size_t ipsctplen; 455 size_t errlen = 0; 456 sctp_parm_hdr_t *cookieph; 457 mblk_t *iackmp; 458 uint32_t itag; 459 uint32_t itsn; 460 int64_t *now; 461 int64_t nowt; 462 uint32_t *lifetime; 463 char *p; 464 boolean_t isv4; 465 int supp_af = 0; 466 uint_t sctp_options; 467 uint32_t *ttag; 468 int pad; 469 mblk_t *errmp = NULL; 470 boolean_t initcollision = B_FALSE; 471 boolean_t linklocal = B_FALSE; 472 cred_t *cr; 473 ts_label_t *initlabel; 474 sctp_stack_t *sctps = sctp->sctp_sctps; 475 476 BUMP_LOCAL(sctp->sctp_ibchunks); 477 isv4 = (IPH_HDR_VERSION(initmp->b_rptr) == IPV4_VERSION); 478 479 /* Extract the INIT chunk */ 480 if (isv4) { 481 initiph = (ipha_t *)initmp->b_rptr; 482 ipsctplen = sctp->sctp_ip_hdr_len; 483 supp_af |= PARM_SUPP_V4; 484 } else { 485 initip6h = (ip6_t *)initmp->b_rptr; 486 ipsctplen = sctp->sctp_ip_hdr6_len; 487 if (IN6_IS_ADDR_LINKLOCAL(&initip6h->ip6_src)) 488 linklocal = B_TRUE; 489 supp_af |= PARM_SUPP_V6; 490 } 491 ASSERT(OK_32PTR(initsh)); 492 init = (sctp_init_chunk_t *)((char *)(initsh + 1) + sizeof (*iack_ch)); 493 494 /* Make sure we like the peer's parameters */ 495 if (validate_init_params(sctp, ch, init, initmp, NULL, &errmp, 496 &supp_af, &sctp_options) == 0) { 497 return; 498 } 499 if (errmp != NULL) 500 errlen = msgdsize(errmp); 501 if (sctp->sctp_family == AF_INET) { 502 /* 503 * Irregardless of the supported address in the INIT, v4 504 * must be supported. 505 */ 506 supp_af = PARM_SUPP_V4; 507 } 508 if (sctp->sctp_state <= SCTPS_LISTEN) { 509 /* normal, expected INIT: generate new vtag and itsn */ 510 (void) random_get_pseudo_bytes((uint8_t *)&itag, sizeof (itag)); 511 if (itag == 0) 512 itag = (uint32_t)gethrtime(); 513 itsn = itag + 1; 514 itag = htonl(itag); 515 } else if (sctp->sctp_state == SCTPS_COOKIE_WAIT || 516 sctp->sctp_state == SCTPS_COOKIE_ECHOED) { 517 /* init collision; copy vtag and itsn from sctp */ 518 itag = sctp->sctp_lvtag; 519 itsn = sctp->sctp_ltsn; 520 /* 521 * In addition we need to send all the params that was sent 522 * in our INIT chunk. Essentially, it is only the supported 523 * address params that we need to add. 524 */ 525 initcollision = B_TRUE; 526 /* 527 * When we sent the INIT, we should have set linklocal in 528 * the sctp which should be good enough. 529 */ 530 if (linklocal) 531 linklocal = B_FALSE; 532 } else { 533 /* peer restart; generate new vtag but keep everything else */ 534 (void) random_get_pseudo_bytes((uint8_t *)&itag, sizeof (itag)); 535 if (itag == 0) 536 itag = (uint32_t)gethrtime(); 537 itag = htonl(itag); 538 itsn = sctp->sctp_ltsn; 539 } 540 541 /* 542 * Allocate a mblk for the INIT ACK, consisting of the link layer 543 * header, the IP header, the SCTP common header, and INIT ACK chunk, 544 * and finally the COOKIE parameter. 545 */ 546 cookielen = SCTP_CALC_COOKIE_LEN(ch); 547 iacklen = sizeof (*iack_ch) + sizeof (*iack) + cookielen; 548 if (sctp->sctp_send_adaptation) 549 iacklen += (sizeof (sctp_parm_hdr_t) + sizeof (uint32_t)); 550 if (((sctp_options & SCTP_PRSCTP_OPTION) || initcollision) && 551 sctp->sctp_prsctp_aware && sctps->sctps_prsctp_enabled) { 552 iacklen += sctp_options_param_len(sctp, SCTP_PRSCTP_OPTION); 553 } 554 if (initcollision) 555 iacklen += sctp_supaddr_param_len(sctp); 556 if (!linklocal) 557 iacklen += sctp_addr_params(sctp, supp_af, NULL, B_FALSE); 558 ipsctplen += sizeof (*iacksh) + iacklen; 559 iacklen += errlen; 560 if ((pad = ipsctplen % 4) != 0) { 561 pad = 4 - pad; 562 ipsctplen += pad; 563 } 564 565 /* 566 * If the listen socket is bound to a trusted extensions 567 * multi-label port, attach a copy of the listener's cred 568 * to the new INITACK mblk. Modify the cred to contain 569 * the security label of the received INIT packet. 570 * If not a multi-label port, attach the unmodified 571 * listener's cred directly. 572 * 573 * We expect Sun developed kernel modules to properly set 574 * cred labels for sctp connections. We can't be so sure this 575 * will be done correctly when 3rd party kernel modules 576 * directly use sctp. The initlabel panic guard logic was 577 * added to cover this possibility. 578 */ 579 if (sctp->sctp_connp->conn_mlp_type != mlptSingle) { 580 initlabel = MBLK_GETLABEL(initmp); 581 if (initlabel == NULL) { 582 sctp_send_abort(sctp, sctp_init2vtag(ch), 583 SCTP_ERR_UNKNOWN, NULL, 0, initmp, 0, B_FALSE); 584 return; 585 } 586 cr = copycred_from_bslabel(CONN_CRED(sctp->sctp_connp), 587 &initlabel->tsl_label, initlabel->tsl_doi, KM_NOSLEEP); 588 if (cr == NULL) { 589 sctp_send_abort(sctp, sctp_init2vtag(ch), 590 SCTP_ERR_NO_RESOURCES, NULL, 0, initmp, 0, B_FALSE); 591 return; 592 } 593 iackmp = allocb_cred(ipsctplen + sctps->sctps_wroff_xtra, cr); 594 crfree(cr); 595 } else { 596 iackmp = allocb_cred(ipsctplen + sctps->sctps_wroff_xtra, 597 CONN_CRED(sctp->sctp_connp)); 598 } 599 if (iackmp == NULL) { 600 sctp_send_abort(sctp, sctp_init2vtag(ch), 601 SCTP_ERR_NO_RESOURCES, NULL, 0, initmp, 0, B_FALSE); 602 return; 603 } 604 605 /* Copy in the [imcomplete] IP/SCTP composite header */ 606 p = (char *)(iackmp->b_rptr + sctps->sctps_wroff_xtra); 607 iackmp->b_rptr = (uchar_t *)p; 608 if (isv4) { 609 bcopy(sctp->sctp_iphc, p, sctp->sctp_hdr_len); 610 iackiph = (ipha_t *)p; 611 612 /* Copy the peer's IP addr */ 613 iackiph->ipha_dst = initiph->ipha_src; 614 iackiph->ipha_src = initiph->ipha_dst; 615 iackiph->ipha_length = htons(ipsctplen + errlen); 616 iacksh = (sctp_hdr_t *)(p + sctp->sctp_ip_hdr_len); 617 } else { 618 bcopy(sctp->sctp_iphc6, p, sctp->sctp_hdr6_len); 619 iackip6h = (ip6_t *)p; 620 621 /* Copy the peer's IP addr */ 622 iackip6h->ip6_dst = initip6h->ip6_src; 623 iackip6h->ip6_src = initip6h->ip6_dst; 624 iackip6h->ip6_plen = htons(ipsctplen - sizeof (*iackip6h) + 625 errlen); 626 iacksh = (sctp_hdr_t *)(p + sctp->sctp_ip_hdr6_len); 627 } 628 ASSERT(OK_32PTR(iacksh)); 629 630 /* Fill in the holes in the SCTP common header */ 631 iacksh->sh_sport = initsh->sh_dport; 632 iacksh->sh_dport = initsh->sh_sport; 633 iacksh->sh_verf = init->sic_inittag; 634 635 /* INIT ACK chunk header */ 636 iack_ch = (sctp_chunk_hdr_t *)(iacksh + 1); 637 iack_ch->sch_id = CHUNK_INIT_ACK; 638 iack_ch->sch_flags = 0; 639 iack_ch->sch_len = htons(iacklen); 640 641 /* The INIT ACK itself */ 642 iack = (sctp_init_chunk_t *)(iack_ch + 1); 643 iack->sic_inittag = itag; /* already in network byteorder */ 644 iack->sic_inittsn = htonl(itsn); 645 646 iack->sic_a_rwnd = htonl(sctp->sctp_rwnd); 647 /* Advertise what we would want to have as stream #'s */ 648 iack->sic_outstr = htons(MIN(sctp->sctp_num_ostr, 649 ntohs(init->sic_instr))); 650 iack->sic_instr = htons(sctp->sctp_num_istr); 651 652 p = (char *)(iack + 1); 653 p += sctp_adaptation_code_param(sctp, (uchar_t *)p); 654 if (initcollision) 655 p += sctp_supaddr_param(sctp, (uchar_t *)p); 656 if (!linklocal) 657 p += sctp_addr_params(sctp, supp_af, (uchar_t *)p, B_FALSE); 658 if (((sctp_options & SCTP_PRSCTP_OPTION) || initcollision) && 659 sctp->sctp_prsctp_aware && sctps->sctps_prsctp_enabled) { 660 p += sctp_options_param(sctp, p, SCTP_PRSCTP_OPTION); 661 } 662 /* 663 * Generate and lay in the COOKIE parameter. 664 * 665 * Any change here that results in a change of location for 666 * the peer's orig source address must be propagated to the fn 667 * cl_sctp_cookie_paddr() above. 668 * 669 * The cookie consists of: 670 * 1. The relative timestamp for the cookie (lbolt64) 671 * 2. The cookie lifetime (uint32_t) in tick 672 * 3. The local tie-tag 673 * 4. The peer tie-tag 674 * 5. Peer's original src, used to confirm the validity of address. 675 * 6. Our INIT ACK chunk, less any parameters 676 * 7. The INIT chunk (may contain parameters) 677 * 8. 128-bit MD5 signature. 678 * 679 * Since the timestamp values will only be evaluated locally, we 680 * don't need to worry about byte-ordering them. 681 */ 682 cookieph = (sctp_parm_hdr_t *)p; 683 cookieph->sph_type = htons(PARM_COOKIE); 684 cookieph->sph_len = htons(cookielen); 685 686 /* timestamp */ 687 now = (int64_t *)(cookieph + 1); 688 nowt = lbolt64; 689 bcopy(&nowt, now, sizeof (*now)); 690 691 /* cookie lifetime -- need configuration */ 692 lifetime = (uint32_t *)(now + 1); 693 *lifetime = sctp->sctp_cookie_lifetime; 694 695 /* Set the tie-tags */ 696 ttag = (uint32_t *)(lifetime + 1); 697 if (sctp->sctp_state <= SCTPS_COOKIE_WAIT) { 698 *ttag = 0; 699 ttag++; 700 *ttag = 0; 701 ttag++; 702 } else { 703 /* local tie-tag (network byte-order) */ 704 *ttag = sctp->sctp_lvtag; 705 ttag++; 706 /* peer tie-tag (network byte-order) */ 707 *ttag = sctp->sctp_fvtag; 708 ttag++; 709 } 710 /* 711 * Copy in peer's original source address so that we can confirm 712 * the reachability later. 713 */ 714 p = (char *)ttag; 715 if (isv4) { 716 in6_addr_t peer_addr; 717 718 IN6_IPADDR_TO_V4MAPPED(iackiph->ipha_dst, &peer_addr); 719 bcopy(&peer_addr, p, sizeof (in6_addr_t)); 720 } else { 721 bcopy(&iackip6h->ip6_dst, p, sizeof (in6_addr_t)); 722 } 723 p += sizeof (in6_addr_t); 724 /* Copy in our INIT ACK chunk */ 725 bcopy(iack, p, sizeof (*iack)); 726 iack = (sctp_init_chunk_t *)p; 727 /* Set the # of streams we'll end up using */ 728 iack->sic_outstr = MIN(sctp->sctp_num_ostr, ntohs(init->sic_instr)); 729 iack->sic_instr = MIN(sctp->sctp_num_istr, ntohs(init->sic_outstr)); 730 p += sizeof (*iack); 731 732 /* Copy in the peer's INIT chunk */ 733 bcopy(ch, p, ntohs(ch->sch_len)); 734 p += ntohs(ch->sch_len); 735 736 /* 737 * Calculate the HMAC ICV into the digest slot in buf. 738 * First, generate a new secret if the current secret is 739 * older than the new secret lifetime parameter permits, 740 * copying the current secret to sctp_old_secret. 741 */ 742 if (sctps->sctps_new_secret_interval > 0 && 743 (sctp->sctp_last_secret_update + 744 MSEC_TO_TICK(sctps->sctps_new_secret_interval)) <= nowt) { 745 bcopy(sctp->sctp_secret, sctp->sctp_old_secret, 746 SCTP_SECRET_LEN); 747 (void) random_get_pseudo_bytes(sctp->sctp_secret, 748 SCTP_SECRET_LEN); 749 sctp->sctp_last_secret_update = nowt; 750 } 751 752 hmac_md5((uchar_t *)now, cookielen - sizeof (*cookieph) - 16, 753 (uchar_t *)sctp->sctp_secret, SCTP_SECRET_LEN, (uchar_t *)p); 754 755 iackmp->b_wptr = iackmp->b_rptr + ipsctplen; 756 iackmp->b_cont = errmp; /* OK if NULL */ 757 758 if (is_system_labeled() && (cr = DB_CRED(iackmp)) != NULL && 759 crgetlabel(cr) != NULL) { 760 conn_t *connp = sctp->sctp_connp; 761 int err; 762 763 if (isv4) 764 err = tsol_check_label(cr, &iackmp, 765 connp->conn_mac_exempt, 766 sctps->sctps_netstack->netstack_ip); 767 else 768 err = tsol_check_label_v6(cr, &iackmp, 769 connp->conn_mac_exempt, 770 sctps->sctps_netstack->netstack_ip); 771 if (err != 0) { 772 sctp_send_abort(sctp, sctp_init2vtag(ch), 773 SCTP_ERR_AUTH_ERR, NULL, 0, initmp, 0, B_FALSE); 774 freemsg(iackmp); 775 return; 776 } 777 } 778 779 /* 780 * Stash the conn ptr info. for IP only as e don't have any 781 * cached IRE. 782 */ 783 SCTP_STASH_IPINFO(iackmp, (ire_t *)NULL); 784 785 /* XXX sctp == sctp_g_q, so using its obchunks is valid */ 786 BUMP_LOCAL(sctp->sctp_opkts); 787 BUMP_LOCAL(sctp->sctp_obchunks); 788 789 /* OK to call IP_PUT() here instead of sctp_add_sendq(). */ 790 CONN_INC_REF(sctp->sctp_connp); 791 iackmp->b_flag |= MSGHASREF; 792 IP_PUT(iackmp, sctp->sctp_connp, isv4); 793 } 794 795 void 796 sctp_send_cookie_ack(sctp_t *sctp) 797 { 798 sctp_chunk_hdr_t *cach; 799 mblk_t *camp; 800 sctp_stack_t *sctps = sctp->sctp_sctps; 801 802 camp = sctp_make_mp(sctp, NULL, sizeof (*cach)); 803 if (camp == NULL) { 804 /* XXX should abort, but don't have the inmp anymore */ 805 SCTP_KSTAT(sctps, sctp_send_cookie_ack_failed); 806 return; 807 } 808 809 cach = (sctp_chunk_hdr_t *)camp->b_wptr; 810 camp->b_wptr = (uchar_t *)(cach + 1); 811 cach->sch_id = CHUNK_COOKIE_ACK; 812 cach->sch_flags = 0; 813 cach->sch_len = htons(sizeof (*cach)); 814 815 sctp_set_iplen(sctp, camp); 816 817 BUMP_LOCAL(sctp->sctp_obchunks); 818 819 sctp_add_sendq(sctp, camp); 820 } 821 822 static int 823 sctp_find_al_ind(sctp_parm_hdr_t *sph, ssize_t len, uint32_t *adaptation_code) 824 { 825 826 if (len < sizeof (*sph)) 827 return (-1); 828 while (sph != NULL) { 829 if (sph->sph_type == htons(PARM_ADAPT_LAYER_IND) && 830 ntohs(sph->sph_len) >= (sizeof (*sph) + 831 sizeof (uint32_t))) { 832 *adaptation_code = *(uint32_t *)(sph + 1); 833 return (0); 834 } 835 sph = sctp_next_parm(sph, &len); 836 } 837 return (-1); 838 } 839 840 void 841 sctp_send_cookie_echo(sctp_t *sctp, sctp_chunk_hdr_t *iackch, mblk_t *iackmp) 842 { 843 mblk_t *cemp; 844 mblk_t *mp = NULL; 845 mblk_t *head; 846 mblk_t *meta; 847 sctp_faddr_t *fp; 848 sctp_chunk_hdr_t *cech; 849 sctp_init_chunk_t *iack; 850 int32_t cansend; 851 int32_t seglen; 852 size_t ceclen; 853 sctp_parm_hdr_t *cph; 854 sctp_data_hdr_t *sdc; 855 sctp_tf_t *tf; 856 int pad = 0; 857 int hdrlen; 858 mblk_t *errmp = NULL; 859 uint_t sctp_options; 860 int error; 861 uint16_t old_num_str; 862 sctp_stack_t *sctps = sctp->sctp_sctps; 863 864 iack = (sctp_init_chunk_t *)(iackch + 1); 865 866 cph = NULL; 867 if (validate_init_params(sctp, iackch, iack, iackmp, &cph, &errmp, 868 &pad, &sctp_options) == 0) { /* result in 'pad' ignored */ 869 BUMP_MIB(&sctps->sctps_mib, sctpAborted); 870 sctp_assoc_event(sctp, SCTP_CANT_STR_ASSOC, 0, NULL); 871 sctp_clean_death(sctp, ECONNABORTED); 872 return; 873 } 874 ASSERT(cph != NULL); 875 876 ASSERT(sctp->sctp_cookie_mp == NULL); 877 878 /* Got a cookie to echo back; allocate an mblk */ 879 ceclen = sizeof (*cech) + ntohs(cph->sph_len) - sizeof (*cph); 880 if ((pad = ceclen & (SCTP_ALIGN - 1)) != 0) 881 pad = SCTP_ALIGN - pad; 882 883 if (IPH_HDR_VERSION(iackmp->b_rptr) == IPV4_VERSION) 884 hdrlen = sctp->sctp_hdr_len; 885 else 886 hdrlen = sctp->sctp_hdr6_len; 887 888 cemp = allocb(sctps->sctps_wroff_xtra + hdrlen + ceclen + pad, 889 BPRI_MED); 890 if (cemp == NULL) { 891 SCTP_FADDR_TIMER_RESTART(sctp, sctp->sctp_current, 892 sctp->sctp_current->rto); 893 if (errmp != NULL) 894 freeb(errmp); 895 return; 896 } 897 cemp->b_rptr += (sctps->sctps_wroff_xtra + hdrlen); 898 899 /* Process the INIT ACK */ 900 sctp->sctp_sctph->sh_verf = iack->sic_inittag; 901 sctp->sctp_sctph6->sh_verf = iack->sic_inittag; 902 sctp->sctp_fvtag = iack->sic_inittag; 903 sctp->sctp_ftsn = ntohl(iack->sic_inittsn); 904 sctp->sctp_lastacked = sctp->sctp_ftsn - 1; 905 sctp->sctp_fcsn = sctp->sctp_lastacked; 906 sctp->sctp_frwnd = ntohl(iack->sic_a_rwnd); 907 908 /* 909 * Populate sctp with addresses given in the INIT ACK or IP header. 910 * Need to set the df bit in the current fp as it has been cleared 911 * in sctp_connect(). 912 */ 913 sctp->sctp_current->df = B_TRUE; 914 /* 915 * Since IP uses this info during the fanout process, we need to hold 916 * the lock for this hash line while performing this operation. 917 */ 918 /* XXX sctp_conn_fanout + SCTP_CONN_HASH(sctps, sctp->sctp_ports); */ 919 ASSERT(sctp->sctp_conn_tfp != NULL); 920 tf = sctp->sctp_conn_tfp; 921 /* sctp isn't a listener so only need to hold conn fanout lock */ 922 mutex_enter(&tf->tf_lock); 923 if (sctp_get_addrparams(sctp, NULL, iackmp, iackch, NULL) != 0) { 924 mutex_exit(&tf->tf_lock); 925 freeb(cemp); 926 SCTP_FADDR_TIMER_RESTART(sctp, sctp->sctp_current, 927 sctp->sctp_current->rto); 928 if (errmp != NULL) 929 freeb(errmp); 930 return; 931 } 932 mutex_exit(&tf->tf_lock); 933 934 fp = sctp->sctp_current; 935 936 /* 937 * There could be a case when we get an INIT-ACK again, if the INIT 938 * is re-transmitted, for e.g., which means we would have already 939 * allocated this resource earlier (also for sctp_instr). In this 940 * case we check and re-allocate, if necessary. 941 */ 942 old_num_str = sctp->sctp_num_ostr; 943 if (ntohs(iack->sic_instr) < sctp->sctp_num_ostr) 944 sctp->sctp_num_ostr = ntohs(iack->sic_instr); 945 if (sctp->sctp_ostrcntrs == NULL) { 946 sctp->sctp_ostrcntrs = kmem_zalloc(sizeof (uint16_t) * 947 sctp->sctp_num_ostr, KM_NOSLEEP); 948 } else { 949 ASSERT(old_num_str > 0); 950 if (old_num_str != sctp->sctp_num_ostr) { 951 kmem_free(sctp->sctp_ostrcntrs, sizeof (uint16_t) * 952 old_num_str); 953 sctp->sctp_ostrcntrs = kmem_zalloc(sizeof (uint16_t) * 954 sctp->sctp_num_ostr, KM_NOSLEEP); 955 } 956 } 957 if (sctp->sctp_ostrcntrs == NULL) { 958 freeb(cemp); 959 SCTP_FADDR_TIMER_RESTART(sctp, fp, fp->rto); 960 if (errmp != NULL) 961 freeb(errmp); 962 return; 963 } 964 965 /* 966 * Allocate the in stream tracking array. Comments for sctp_ostrcntrs 967 * hold here too. 968 */ 969 old_num_str = sctp->sctp_num_istr; 970 if (ntohs(iack->sic_outstr) < sctp->sctp_num_istr) 971 sctp->sctp_num_istr = ntohs(iack->sic_outstr); 972 if (sctp->sctp_instr == NULL) { 973 sctp->sctp_instr = kmem_zalloc(sizeof (*sctp->sctp_instr) * 974 sctp->sctp_num_istr, KM_NOSLEEP); 975 } else { 976 ASSERT(old_num_str > 0); 977 if (old_num_str != sctp->sctp_num_istr) { 978 kmem_free(sctp->sctp_instr, 979 sizeof (*sctp->sctp_instr) * old_num_str); 980 sctp->sctp_instr = kmem_zalloc( 981 sizeof (*sctp->sctp_instr) * sctp->sctp_num_istr, 982 KM_NOSLEEP); 983 } 984 } 985 if (sctp->sctp_instr == NULL) { 986 kmem_free(sctp->sctp_ostrcntrs, 987 sizeof (uint16_t) * sctp->sctp_num_ostr); 988 freeb(cemp); 989 SCTP_FADDR_TIMER_RESTART(sctp, fp, fp->rto); 990 if (errmp != NULL) 991 freeb(errmp); 992 return; 993 } 994 995 if (!(sctp_options & SCTP_PRSCTP_OPTION) && sctp->sctp_prsctp_aware) 996 sctp->sctp_prsctp_aware = B_FALSE; 997 998 if (sctp_find_al_ind((sctp_parm_hdr_t *)(iack + 1), 999 ntohs(iackch->sch_len) - (sizeof (*iackch) + sizeof (*iack)), 1000 &sctp->sctp_rx_adaptation_code) == 0) { 1001 sctp->sctp_recv_adaptation = 1; 1002 } 1003 1004 cech = (sctp_chunk_hdr_t *)cemp->b_rptr; 1005 ASSERT(OK_32PTR(cech)); 1006 cech->sch_id = CHUNK_COOKIE; 1007 cech->sch_flags = 0; 1008 cech->sch_len = htons(ceclen); 1009 1010 /* Copy the cookie (less the parm hdr) to the chunk */ 1011 bcopy(cph + 1, cech + 1, ceclen - sizeof (*cph)); 1012 1013 cemp->b_wptr = cemp->b_rptr + ceclen; 1014 1015 if (sctp->sctp_unsent > 0) { 1016 sctp_msg_hdr_t *smh; 1017 mblk_t *prev = NULL; 1018 uint32_t unsent = 0; 1019 1020 mp = sctp->sctp_xmit_unsent; 1021 do { 1022 smh = (sctp_msg_hdr_t *)mp->b_rptr; 1023 if (smh->smh_sid >= sctp->sctp_num_ostr) { 1024 unsent += smh->smh_msglen; 1025 if (prev != NULL) 1026 prev->b_next = mp->b_next; 1027 else 1028 sctp->sctp_xmit_unsent = mp->b_next; 1029 mp->b_next = NULL; 1030 sctp_sendfail_event(sctp, mp, SCTP_ERR_BAD_SID, 1031 B_FALSE); 1032 if (prev != NULL) 1033 mp = prev->b_next; 1034 else 1035 mp = sctp->sctp_xmit_unsent; 1036 } else { 1037 prev = mp; 1038 mp = mp->b_next; 1039 } 1040 } while (mp != NULL); 1041 if (unsent > 0) { 1042 ASSERT(sctp->sctp_unsent >= unsent); 1043 sctp->sctp_unsent -= unsent; 1044 /* 1045 * Update ULP the amount of queued data, which is 1046 * sent-unack'ed + unsent. 1047 * This is not necessary, but doesn't harm, we 1048 * just use unsent instead of sent-unack'ed + 1049 * unsent, since there won't be any sent-unack'ed 1050 * here. 1051 */ 1052 if (!SCTP_IS_DETACHED(sctp)) { 1053 sctp->sctp_ulp_xmitted(sctp->sctp_ulpd, 1054 sctp->sctp_unsent); 1055 } 1056 } 1057 if (sctp->sctp_xmit_unsent == NULL) 1058 sctp->sctp_xmit_unsent_tail = NULL; 1059 } 1060 ceclen += pad; 1061 cansend = MIN(sctp->sctp_unsent, sctp->sctp_frwnd); 1062 meta = sctp_get_msg_to_send(sctp, &mp, NULL, &error, ceclen, 1063 cansend, NULL); 1064 /* 1065 * The error cannot be anything else since we could have an non-zero 1066 * error only if sctp_get_msg_to_send() tries to send a Forward 1067 * TSN which will not happen here. 1068 */ 1069 ASSERT(error == 0); 1070 if (meta == NULL) 1071 goto sendcookie; 1072 sctp->sctp_xmit_tail = meta; 1073 sdc = (sctp_data_hdr_t *)mp->b_rptr; 1074 seglen = ntohs(sdc->sdh_len); 1075 if ((ceclen + seglen) > fp->sfa_pmss || 1076 (seglen - sizeof (*sdc)) > cansend) { 1077 goto sendcookie; 1078 } 1079 /* OK, if this fails */ 1080 cemp->b_cont = dupmsg(mp); 1081 sendcookie: 1082 head = sctp_add_proto_hdr(sctp, fp, cemp, 0, NULL); 1083 if (head == NULL) { 1084 freemsg(cemp); 1085 SCTP_FADDR_TIMER_RESTART(sctp, fp, fp->rto); 1086 if (errmp != NULL) 1087 freeb(errmp); 1088 SCTP_KSTAT(sctps, sctp_send_cookie_failed); 1089 return; 1090 } 1091 /* 1092 * Even if cookie-echo exceeds MTU for one of the hops, it'll 1093 * have a chance of getting there. 1094 */ 1095 if (fp->isv4) { 1096 ipha_t *iph = (ipha_t *)head->b_rptr; 1097 iph->ipha_fragment_offset_and_flags = 0; 1098 } 1099 BUMP_LOCAL(sctp->sctp_obchunks); 1100 1101 sctp->sctp_cookie_mp = dupmsg(head); 1102 /* Don't bundle, we will just resend init if this cookie is lost. */ 1103 if (sctp->sctp_cookie_mp == NULL) { 1104 if (cemp->b_cont != NULL) { 1105 freemsg(cemp->b_cont); 1106 cemp->b_cont = NULL; 1107 } 1108 } else if (cemp->b_cont != NULL) { 1109 ASSERT(mp != NULL && mp == meta->b_cont); 1110 SCTP_CHUNK_CLEAR_FLAGS(cemp->b_cont); 1111 cemp->b_wptr += pad; 1112 seglen -= sizeof (*sdc); 1113 SCTP_CHUNK_SENT(sctp, mp, sdc, fp, seglen, meta); 1114 } 1115 if (errmp != NULL) { 1116 if (cemp->b_cont == NULL) 1117 cemp->b_wptr += pad; 1118 linkb(head, errmp); 1119 } 1120 sctp->sctp_state = SCTPS_COOKIE_ECHOED; 1121 SCTP_FADDR_TIMER_RESTART(sctp, fp, fp->rto); 1122 1123 sctp_set_iplen(sctp, head); 1124 sctp_add_sendq(sctp, head); 1125 } 1126 1127 int 1128 sctp_process_cookie(sctp_t *sctp, sctp_chunk_hdr_t *ch, mblk_t *cmp, 1129 sctp_init_chunk_t **iackpp, sctp_hdr_t *insctph, int *recv_adaptation, 1130 in6_addr_t *peer_addr) 1131 { 1132 int32_t clen; 1133 size_t initplen; 1134 uchar_t *p; 1135 uchar_t *given_hash; 1136 uchar_t needed_hash[16]; 1137 int64_t ts; 1138 int64_t diff; 1139 uint32_t *lt; 1140 sctp_init_chunk_t *iack; 1141 sctp_chunk_hdr_t *initch; 1142 sctp_init_chunk_t *init; 1143 uint32_t *lttag; 1144 uint32_t *fttag; 1145 uint32_t ports; 1146 sctp_stack_t *sctps = sctp->sctp_sctps; 1147 1148 BUMP_LOCAL(sctp->sctp_ibchunks); 1149 /* Verify the ICV */ 1150 clen = ntohs(ch->sch_len) - sizeof (*ch) - 16; 1151 if (clen < 0) { 1152 dprint(1, ("invalid cookie chunk length %d\n", 1153 ntohs(ch->sch_len))); 1154 1155 return (-1); 1156 } 1157 p = (uchar_t *)(ch + 1); 1158 1159 hmac_md5(p, clen, (uchar_t *)sctp->sctp_secret, SCTP_SECRET_LEN, 1160 needed_hash); 1161 1162 /* The given hash follows the cookie data */ 1163 given_hash = p + clen; 1164 1165 if (bcmp(given_hash, needed_hash, 16) != 0) { 1166 /* The secret may have changed; try the old secret */ 1167 hmac_md5(p, clen, (uchar_t *)sctp->sctp_old_secret, 1168 SCTP_SECRET_LEN, needed_hash); 1169 if (bcmp(given_hash, needed_hash, 16) != 0) { 1170 return (-1); 1171 } 1172 } 1173 1174 /* Timestamp is int64_t, and we only guarantee 32-bit alignment */ 1175 bcopy(p, &ts, sizeof (ts)); 1176 /* Cookie life time, uint32_t */ 1177 lt = (uint32_t *)(p + sizeof (ts)); 1178 1179 /* 1180 * To quote PRC, "this is our baby", so let's continue. 1181 * We need to pull out the encapsulated INIT ACK and 1182 * INIT chunks. Note that we don't process these until 1183 * we have verified the timestamp, but we need them before 1184 * processing the timestamp since if the time check fails, 1185 * we need to get the verification tag from the INIT in order 1186 * to send a stale cookie error. 1187 */ 1188 lttag = (uint32_t *)(lt + 1); 1189 fttag = lttag + 1; 1190 if (peer_addr != NULL) 1191 bcopy(fttag + 1, peer_addr, sizeof (in6_addr_t)); 1192 iack = (sctp_init_chunk_t *)((char *)(fttag + 1) + sizeof (in6_addr_t)); 1193 initch = (sctp_chunk_hdr_t *)(iack + 1); 1194 init = (sctp_init_chunk_t *)(initch + 1); 1195 initplen = ntohs(initch->sch_len) - (sizeof (*init) + sizeof (*initch)); 1196 *iackpp = iack; 1197 *recv_adaptation = 0; 1198 1199 /* 1200 * Check the staleness of the Cookie, specified in 3.3.10.3 of 1201 * RFC 2960. 1202 * 1203 * The mesaure of staleness is the difference, in microseconds, 1204 * between the current time and the time the State Cookie expires. 1205 * So it is lbolt64 - (ts + *lt). If it is positive, it means 1206 * that the Cookie has expired. 1207 */ 1208 diff = lbolt64 - (ts + *lt); 1209 if (diff > 0 && (init->sic_inittag != sctp->sctp_fvtag || 1210 iack->sic_inittag != sctp->sctp_lvtag)) { 1211 uint32_t staleness; 1212 1213 staleness = TICK_TO_USEC(diff); 1214 staleness = htonl(staleness); 1215 sctp_send_abort(sctp, init->sic_inittag, SCTP_ERR_STALE_COOKIE, 1216 (char *)&staleness, sizeof (staleness), cmp, 1, B_FALSE); 1217 1218 dprint(1, ("stale cookie %d\n", staleness)); 1219 1220 return (-1); 1221 } 1222 1223 /* Check for attack by adding addresses to a restart */ 1224 bcopy(insctph, &ports, sizeof (ports)); 1225 if (sctp_secure_restart_check(cmp, initch, ports, KM_NOSLEEP, 1226 sctps) != 1) { 1227 return (-1); 1228 } 1229 1230 /* Look for adaptation code if there any parms in the INIT chunk */ 1231 if ((initplen >= sizeof (sctp_parm_hdr_t)) && 1232 (sctp_find_al_ind((sctp_parm_hdr_t *)(init + 1), initplen, 1233 &sctp->sctp_rx_adaptation_code) == 0)) { 1234 *recv_adaptation = 1; 1235 } 1236 1237 /* Examine tie-tags */ 1238 1239 if (sctp->sctp_state >= SCTPS_COOKIE_WAIT) { 1240 if (sctp->sctp_state == SCTPS_ESTABLISHED && 1241 init->sic_inittag == sctp->sctp_fvtag && 1242 iack->sic_inittag == sctp->sctp_lvtag && 1243 *fttag == 0 && *lttag == 0) { 1244 1245 dprint(1, ("duplicate cookie from %x:%x:%x:%x (%d)\n", 1246 SCTP_PRINTADDR(sctp->sctp_current->faddr), 1247 (int)(sctp->sctp_fport))); 1248 return (-1); 1249 } 1250 1251 if (init->sic_inittag != sctp->sctp_fvtag && 1252 iack->sic_inittag != sctp->sctp_lvtag && 1253 *fttag == sctp->sctp_fvtag && 1254 *lttag == sctp->sctp_lvtag) { 1255 int i; 1256 1257 /* Section 5.2.4 case A: restart */ 1258 sctp->sctp_fvtag = init->sic_inittag; 1259 sctp->sctp_lvtag = iack->sic_inittag; 1260 1261 sctp->sctp_sctph->sh_verf = init->sic_inittag; 1262 sctp->sctp_sctph6->sh_verf = init->sic_inittag; 1263 1264 sctp->sctp_ftsn = ntohl(init->sic_inittsn); 1265 sctp->sctp_lastacked = sctp->sctp_ftsn - 1; 1266 sctp->sctp_frwnd = ntohl(init->sic_a_rwnd); 1267 sctp->sctp_fcsn = sctp->sctp_lastacked; 1268 1269 if (sctp->sctp_state < SCTPS_ESTABLISHED) { 1270 sctp->sctp_state = SCTPS_ESTABLISHED; 1271 sctp->sctp_assoc_start_time = (uint32_t)lbolt; 1272 } 1273 1274 dprint(1, ("sctp peer %x:%x:%x:%x (%d) restarted\n", 1275 SCTP_PRINTADDR(sctp->sctp_current->faddr), 1276 (int)(sctp->sctp_fport))); 1277 /* reset parameters */ 1278 sctp_congest_reset(sctp); 1279 1280 /* reset stream bookkeeping */ 1281 sctp_instream_cleanup(sctp, B_FALSE); 1282 1283 sctp->sctp_istr_nmsgs = 0; 1284 sctp->sctp_rxqueued = 0; 1285 for (i = 0; i < sctp->sctp_num_ostr; i++) { 1286 sctp->sctp_ostrcntrs[i] = 0; 1287 } 1288 /* XXX flush xmit_list? */ 1289 1290 return (0); 1291 } else if (init->sic_inittag != sctp->sctp_fvtag && 1292 iack->sic_inittag == sctp->sctp_lvtag) { 1293 1294 /* Section 5.2.4 case B: INIT collision */ 1295 if (sctp->sctp_state < SCTPS_ESTABLISHED) { 1296 if (!sctp_initialize_params(sctp, init, iack)) 1297 return (-1); /* Drop? */ 1298 sctp->sctp_state = SCTPS_ESTABLISHED; 1299 sctp->sctp_assoc_start_time = (uint32_t)lbolt; 1300 } 1301 1302 dprint(1, ("init collision with %x:%x:%x:%x (%d)\n", 1303 SCTP_PRINTADDR(sctp->sctp_current->faddr), 1304 (int)(sctp->sctp_fport))); 1305 1306 return (0); 1307 } else if (iack->sic_inittag != sctp->sctp_lvtag && 1308 init->sic_inittag == sctp->sctp_fvtag && 1309 *fttag == 0 && *lttag == 0) { 1310 1311 /* Section 5.2.4 case C: late COOKIE */ 1312 dprint(1, ("late cookie from %x:%x:%x:%x (%d)\n", 1313 SCTP_PRINTADDR(sctp->sctp_current->faddr), 1314 (int)(sctp->sctp_fport))); 1315 return (-1); 1316 } else if (init->sic_inittag == sctp->sctp_fvtag && 1317 iack->sic_inittag == sctp->sctp_lvtag) { 1318 1319 /* 1320 * Section 5.2.4 case D: COOKIE ECHO retransmit 1321 * Don't check cookie lifetime 1322 */ 1323 dprint(1, ("cookie tags match from %x:%x:%x:%x (%d)\n", 1324 SCTP_PRINTADDR(sctp->sctp_current->faddr), 1325 (int)(sctp->sctp_fport))); 1326 if (sctp->sctp_state < SCTPS_ESTABLISHED) { 1327 if (!sctp_initialize_params(sctp, init, iack)) 1328 return (-1); /* Drop? */ 1329 sctp->sctp_state = SCTPS_ESTABLISHED; 1330 sctp->sctp_assoc_start_time = (uint32_t)lbolt; 1331 } 1332 return (0); 1333 } else { 1334 /* unrecognized case -- silently drop it */ 1335 return (-1); 1336 } 1337 } 1338 1339 return (0); 1340 } 1341 1342 /* 1343 * Similar to ip_fanout_sctp, except that the src addr(s) are drawn 1344 * from address parameters in an INIT ACK's address list. This 1345 * function is used when an INIT ACK is received but IP's fanout 1346 * function could not find a sctp via the normal lookup routine. 1347 * This can happen when a host sends an INIT ACK from a different 1348 * address than the INIT was sent to. 1349 * 1350 * Returns the sctp_t if found, or NULL if not found. 1351 */ 1352 sctp_t * 1353 sctp_addrlist2sctp(mblk_t *mp, sctp_hdr_t *sctph, sctp_chunk_hdr_t *ich, 1354 zoneid_t zoneid, sctp_stack_t *sctps) 1355 { 1356 int isv4; 1357 ipha_t *iph; 1358 ip6_t *ip6h; 1359 in6_addr_t dst; 1360 in6_addr_t src; 1361 sctp_parm_hdr_t *ph; 1362 ssize_t remaining; 1363 sctp_init_chunk_t *iack; 1364 uint32_t ports; 1365 sctp_t *sctp = NULL; 1366 1367 ASSERT(ich->sch_id == CHUNK_INIT_ACK); 1368 1369 isv4 = (IPH_HDR_VERSION(mp->b_rptr) == IPV4_VERSION); 1370 if (isv4) { 1371 iph = (ipha_t *)mp->b_rptr; 1372 IN6_IPADDR_TO_V4MAPPED(iph->ipha_dst, &dst); 1373 } else { 1374 ip6h = (ip6_t *)mp->b_rptr; 1375 dst = ip6h->ip6_dst; 1376 } 1377 1378 ports = *(uint32_t *)sctph; 1379 1380 dprint(1, ("sctp_addrlist2sctp: ports=%u, dst = %x:%x:%x:%x\n", 1381 ports, SCTP_PRINTADDR(dst))); 1382 1383 /* pull out any address parameters */ 1384 remaining = ntohs(ich->sch_len) - sizeof (*ich) - sizeof (*iack); 1385 if (remaining < sizeof (*ph)) { 1386 return (NULL); 1387 } 1388 1389 iack = (sctp_init_chunk_t *)(ich + 1); 1390 ph = (sctp_parm_hdr_t *)(iack + 1); 1391 1392 while (ph != NULL) { 1393 /* 1394 * params have been put in host byteorder by 1395 * sctp_check_input() 1396 */ 1397 if (ph->sph_type == PARM_ADDR4) { 1398 IN6_INADDR_TO_V4MAPPED((struct in_addr *)(ph + 1), 1399 &src); 1400 1401 sctp = sctp_conn_match(&src, &dst, ports, zoneid, 1402 sctps); 1403 1404 dprint(1, 1405 ("sctp_addrlist2sctp: src=%x:%x:%x:%x, sctp=%p\n", 1406 SCTP_PRINTADDR(src), (void *)sctp)); 1407 1408 1409 if (sctp != NULL) { 1410 return (sctp); 1411 } 1412 } else if (ph->sph_type == PARM_ADDR6) { 1413 src = *(in6_addr_t *)(ph + 1); 1414 sctp = sctp_conn_match(&src, &dst, ports, zoneid, 1415 sctps); 1416 1417 dprint(1, 1418 ("sctp_addrlist2sctp: src=%x:%x:%x:%x, sctp=%p\n", 1419 SCTP_PRINTADDR(src), (void *)sctp)); 1420 1421 if (sctp != NULL) { 1422 return (sctp); 1423 } 1424 } 1425 1426 ph = sctp_next_parm(ph, &remaining); 1427 } 1428 1429 return (NULL); 1430 } 1431